美国当地时间7月6日晚,微软公司向全球用户发布了最新的安全通告(Security Advisory 972890),证实了Windows XP、Windows Server2003系统的视频控件中存在一个漏洞.
利用该漏洞,黑客可在用户使用IE浏览器时,无需用户做任何操作就能获得对用户电脑的本地控制权.微软声称,互联网上已经出现针对这一漏洞的攻击.
微软在通告中表示,目前尚未发现针对该视频控件全部类标识的恶意利用,但建议Windows XP和Windows Server 2003的用户取消IE浏览器对所列类标识的支持.虽然Vista和Windows 2008用户不受该漏洞的影响,但微软亦建议这些用户取消对该控件的支持.用户可通过手工设置注册表的方式,来禁止IE浏览器中运行视频控件.
微软在通告中声称,目前正全力研制漏洞补丁,但并未透露发布安全补丁的具体日期.据悉,该漏洞由DirectShow视频开发包的相关组件产生,与今年5月曝出的“DirectShow视频开发包”0day漏洞属于同一类型,极易被黑客利用进行“网页挂马”攻击,使访问者的电脑自动下载安装任意木马程序.
附原文:
Microsoft Security Advisory (972890)
Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution
Published: July 06, 2009
Version: 1.0
Microsoft is investigating a privately reported vulnerability in Microsoft Video ActiveX Control. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.
We are aware of attacks attempting to exploit the vulnerability.
Our investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control. For Windows XP and Windows Server 2003 customers, Microsoft is recommending removing support for this ActiveX Control within Internet Explorer using all the Class Identifiers listed in the Workaround section. Though unaffected by this vulnerability, Microsoft is recommending that Windows Vista and Windows Server 2008 customers remove support for this ActiveX Control within Internet Explorer using the same Class Identifiers as a defense-in-depth measure.
Customers may prevent the Microsoft Video ActiveX Control from running in Internet Explorer, either manually using the instructions in the Workaround section or automatically using the solution found in Microsoft Knowledge Base Article 972890. By preventing the Microsoft Video ActiveX Control from running in Internet Explorer, there is no impact to application compatibility.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
Microsoft is currently working to develop a security update for Windows to address this vulnerability and will release the update when it has reached an appropriate level of quality for broad distribution.
Mitigating Factors:
| • |
Customers who are using Windows Vista or Windows Server 2008 are not affected because the ability to pass data to this control within Internet Explorer has been restricted.
|
| • |
By default, Internet Explorer on Windows Server 2003 and 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.
|
| • |
By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.
|
| • |
In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
|
| • |
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
|
Purpose of Advisory: To provide customers with initial notification of the vulnerability and to provide information to help protect customers.
Advisory Status: Issue Confirmed, Security Update Planned
Recommendation: Review the suggested actions and configure as appropriate.
This advisory discusses the following software.
|
Windows XP Service Pack 2 and Windows XP Service Pack 3
|
|
Windows XP Professional x64 Edition Service Pack 2
|
|
Windows Server 2003 Service Pack 2
|
|
Windows Server 2003 x64 Edition Service Pack 2
|
|
Windows Server 2003 with SP2 for Itanium-based Systems
|
|
Microsoft Windows 2000 Service Pack 4
|
|
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
|
|
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
|
|
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
|
|
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
|
|
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
|
What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting Microsoft Video ActiveX Control. This affects the operating systems listed in the Overview section.
Is this a security vulnerability that requires Microsoft to issue a security update?
Microsoft is currently working to develop a security update for Windows to address this vulnerability. Microsoft will release the security update once it has reached an appropriate level of quality for broad distribution.
What is the Microsoft Video ActiveX Control?
The Microsoft Video Control object is a Microsoft ActiveX control that connects Microsoft DirectShow filters for use in capturing, recording, and playing video. It is the main component that Microsoft Windows Media Center uses to build filter graphs for recording and playing television video.
What causes this threat?
When the ActiveX control is used in Internet Explorer, the control may corrupt the system state in such a way that an attacker could run arbitrary code.
What might an attacker use this vulnerability to do?
If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Review the Microsoft Knowledge Base Article that is associated with this advisory
Customers who are interested in learning more about this issue should review Microsoft Knowledge Base Article 972890.
Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:
| • |
Prevent Microsoft Video ActiveX Control from running in Internet Explorer
Note See Microsoft Knowledge Base Article 972890 for information on how to implement this workaround automatically.
You can disable attempts to instantiate a COM object in Internet Explorer by setting the kill bit for the control in the registry.
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
For detailed steps that you can use to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow the steps in this article to create a Compatibility Flags value in the registry to prevent a COM object from being instantiated in Internet Explorer.
The following Class Identifiers relate to Microsoft Video ActiveX Control:
|
{011B3619-FE63-4814-8A84-15A194CE9CE3}
|
|
{0149EEDF-D08F-4142-8D73-D23903D21E90}
|
|
{0369B4E5-45B6-11D3-B650-00C04F79498E}
|
|
{0369B4E6-45B6-11D3-B650-00C04F79498E}
|
|
{055CB2D7-2969-45CD-914B-76890722F112}
|
|
{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}
|
|
{15D6504A-5494-499C-886C-973C9E53B9F1}
|
|
{1BE49F30-0E1B-11D3-9D8E-00C04F72D980}
|
|
{1C15D484-911D-11D2-B632-00C04F79498E}
|
|
{1DF7D126-4050-47F0-A7CF-4C4CA9241333}
|
|
{2C63E4EB-4CEA-41B8-919C-E947EA19A77C}
|
|
{334125C0-77E5-11D3-B653-00C04F79498E}
|
|
{37B0353C-A4C8-11D2-B634-00C04F79498E}
|
|
{37B03543-A4C8-11D2-B634-00C04F79498E}
|
|
{37B03544-A4C8-11D2-B634-00C04F79498E}
|
|
{418008F3-CF67-4668-9628-10DC52BE1D08}
|
|
{4A5869CF-929D-4040-AE03-FCAFC5B9CD42}
|
|
{577FAA18-4518-445E-8F70-1473F8CF4BA4}
|
|
{59DC47A8-116C-11D3-9D8E-00C04F72D980}
|
|
{7F9CB14D-48E4-43B6-9346-1AEBC39C64D3}
|
|
{823535A0-0318-11D3-9D8E-00C04F72D980}
|
|
{8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}
|
|
{8A674B4C-1F63-11D3-B64C-00C04F79498E}
|
|
{8A674B4D-1F63-11D3-B64C-00C04F79498E}
|
|
{9CD64701-BDF3-4D14-8E03-F12983D86664}
|
|
{9E77AAC4-35E5-42A1-BDC2-8F3FF399847C}
|
|
{A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980}
|
|
{A2E3074E-6C3D-11D3-B653-00C04F79498E}
|
|
{A2E30750-6C3D-11D3-B653-00C04F79498E}
|
|
{A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE}
|
|
{AD8E510D-217F-409B-8076-29C5E73B98E8}
|
|
{B0EDF163-910A-11D2-B632-00C04F79498E}
|
|
{B64016F3-C9A2-4066-96F0-BD9563314726}
|
|
{BB530C63-D9DF-4B49-9439-63453962E598}
|
|
{C531D9FD-9685-4028-8B68-6E1232079F1E}
|
|
{C5702CCC-9B79-11D3-B654-00C04F79498E}
|
|
{C5702CCD-9B79-11D3-B654-00C04F79498E}
|
|
{C5702CCE-9B79-11D3-B654-00C04F79498E}
|
|
{C5702CCF-9B79-11D3-B654-00C04F79498E}
|
|
{C5702CD0-9B79-11D3-B654-00C04F79498E}
|
|
{C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7}
|
|
{CAAFDD83-CEFC-4E3D-BA03-175F17A24F91}
|
|
{D02AAC50-027E-11D3-9D8E-00C04F72D980}
|
|
{F9769A06-7ACA-4E39-9CFB-97BB35F0E77E}
|
|
{FA7C375B-66A7-4280-879D-FD459C84BB02}
|
Note The Class Identifiers and corresponding files where the ActiveX objects are contained are documented in the table above. Replace {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} below with the Class Identifier found in this table.
To set the kill bit for a CLSID with a value of {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}]
"Compatibility Flags"=dword:00000400
You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:
Note You must restart Internet Explorer for your changes to take effect.
Impact of Workaround: There is no impact as long as the object is not intended to be used in Internet Explorer.
|
Acknowledgements:
Microsoft thanks the following for working with us to help protect customers:
| • |
Ryan Smith and Alex Wheeler of Hustle Labs of ISS X-Force for initially reporting the Microsoft Video ActiveX Control Remote Code Execution Vulnerability (CVE-2008-0015)
|
Resources:
Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
| • |
V1.0 (July 6, 2009): Advisory published.
|
原文地址: http://www.microsoft.com/technet/security/advisory/972890.mspx
